TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2005

March 2006

Reference Number: 2006-10-069

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

March 28, 2006

MEMORANDUM FOR CHIEF FINANCIAL OFFICER

FROM:     Michael R. Phillips
          Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2005 (Audit # 200610011)

This report presents the results of our review of the Internal Revenue Service’s (IRS) Federal Financial Management Improvement Act of 1996 (FFMIA)[1] remediation plan as of December 31, 2005. The overall objective of this review was to identify any instances of and reasons for missed intermediate target dates established in the IRS’ FFMIA remediation plan. We also evaluated, in general, whether the IRS was meeting its responsibilities in fulfilling the intent of the FFMIA. The review was performed to meet our requirement under the FFMIA that each Inspector General report to Congress instances and reasons when an agency has not met the intermediate target dates established in the remediation plan.

Synopsis

From our review of all 38 open remedial actions as of December 31, 2005, we determined no intermediate target dates were missed; however, 23 dates were extended. Although the IRS has reasonable explanations for the extended dates, these delays could further hinder the IRS’ ability to timely resolve the reported issues that cause its noncompliance with the FFMIA.

Also, each of the 38 open remedial actions had an intermediate target date that extended more than 3 years from the initial reporting of the financial weakness. As required, the IRS, through the Department of the Treasury, properly obtained Office of Management and Budget concurrence to extend its corrective actions beyond the 3-year limitation.

Our analysis of individual project resources listed in the December 31, 2005, remediation plan indicated that timely completion of up to 25 open remedial actions is in jeopardy due to significant funding shortfalls. These remedial actions relate to computer security enhancements including application and systems access controls, configuration management, expanded audit trails, and contingency and disaster recovery planning. The IRS indicated that, as a result of its funding shortfalls, it plans to completely reevaluate existing target due dates for remedial actions relating to computer security later in Fiscal Year 2006.

The IRS also indicated that the resources necessary for the continued development of the Custodial Detail Data Base (CDDB), which is a key financial management project, are not available beyond Fiscal Year 2006. The IRS currently plans to develop a new action plan to address future releases of the CDDB by October 1, 2006, pending funding availability at that time. Finally, the IRS reported that it plans to continue to delay development of future releases of the Integrated Financial System (IFS)[2] due to a lack of funding. The delayed future IFS releases address longstanding financial weaknesses relating to the IRS’ lack of reliable cost accounting information and inadequate control over its fixed asset records.

The delays caused by the rescheduling and suspension of needed remediation actions further hinder the IRS’ ability to timely resolve the reported issues that cause its ongoing noncompliance with the FFMIA. For example, the CDDB, when fully implemented, is designed to address longstanding financial weaknesses relating to the IRS’ inability to routinely generate reliable and timely financial management information. In addition, until the IRS completes its revised plans, we will be unable to reliably assess the IRS’ progress in resolving many of the significant findings and recommendations reported in the FFMIA remediation plan.

Recommendation

We made no specific remediation plan recommendations as a result of the analyses performed during this audit. However, IRS management reviewed a draft of this report and agreed with the facts and findings presented.

Copies of this report are also being sent to the IRS managers affected by the report results. Please contact me at (202) 622-6510 if you have questions or Daniel R. Devlin, Assistant Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs), at (202) 622-8500.

[1] Pub. L. No. 104-208, 110 Stat. 3009.
[2] The IFS serves as the IRS’ core financial management system for its administrative activities. See Appendix IV for a more detailed description of the IFS and other systems/projects mentioned in this report.


Table of Contents

Background

Results of Review
    Many Intermediate Target Dates Were Extended
    Timely Completion of Many Remedial Actions Is Doubtful

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Financial Management Remedial Action Projects


Background

The Federal Financial Management Improvement Act of 1996 (FFMIA)[1] established in statute certain financial management systems requirements that were already established by Executive Branch policies. The FFMIA was intended to advance Federal Government financial management by ensuring Federal management systems can and do provide reliable, consistent disclosure of financial data. Further, this disclosure should be done on a basis that is uniform across the Federal Government from year to year, by consistently using professionally accepted accounting standards. Specifically, FFMIA section (§) 803 (a) requires each agency to implement and maintain systems that comply substantially with:

    • Federal Government financial management systems requirements.
    • Applicable Federal Government accounting standards.
    • The United States Government Standard General Ledger at the transaction level.

Auditors are required to report on agency compliance with the three stated requirements as part of financial statement audit reports. Agency heads are required to determine, based on the audit report and other information, whether their financial management systems comply with the FFMIA. If the agency’s financial systems do not comply, the agency is required to develop a remediation plan that describes the resources, remedies, and intermediate target dates for achieving compliance and file the plans with the Office of Management and Budget. In addition, FFMIA § 804 (b) requires agency Inspectors General to report to Congress instances and reasons when an agency has not met the intermediate target dates established in its remediation plan.

In the last several years, the Government Accountability Office has reported numerous financial management weaknesses in its audits of the Internal Revenue Service’s (IRS) annual financial statements and related assessments of internal control. Due to these weaknesses, the IRS’ financial management systems have not been in substantial compliance with the requirements of the FFMIA; consequently, the IRS has been required to prepare and maintain a remediation plan.

This review was performed at the IRS National Headquarters in Washington, D.C., in the office of the Chief Financial Officer, during the period October 2005 through February 2006. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] Pub. L. No. 104-208, 110 Stat. 3009.


Results of Review

Many Intermediate Target Dates Were Extended

During Calendar Year 2005, the IRS reported it cancelled 1 and added 67 remedial actions to the 12 open remedial actions listed in its December 31, 2004, remediation plan. The Computer Security and Custodial Detail Data Base (CDDB) projects accounted for most of these new remedial actions. The cancelled remedial action related to the monitoring of a project that was subsequently cancelled, eliminating the need for the remediation action.

Also during Calendar Year 2005, the IRS reported it completed 40 remediation actions, leaving 38 open remedial actions in its December 31, 2005, remediation plan. All of these open actions were associated with four major financial management projects or issues (see Appendix IV for a description of each project).

    • CDDB – 11 remedial actions.
    • Automated Trust Fund Recovery (ATFR) System – 1 remedial action.
    • Integrated Financial System (IFS) – 1 remedial action.
    • Computer Security – 25 remedial actions.

Our review of the 38 open remedial actions indicated that no intermediate target dates were missed; however, 23 dates were extended. The IRS reported in its remediation plan that extensions of intermediate target dates were necessary due to the following:

    • CDDB (six actions extended) – Target dates were revised to reflect experience gained during initial project implementation and to allow additional time for developing system interfaces.
    • ATFR System (one action extended) – Target date was revised to allow more time to evaluate the effectiveness of the ATFR system.
    • IFS (one action extended) – An action plan was developed to address future releases delayed pending future funding availability.
    • Computer Security (15 actions extended) – Target dates were revised due to delays in completing procedures and training relating to system configuration, system access controls, and audit trails, as well as to allow additional time to coordinate actions requiring multifunctional input.

Although the IRS has reasonable explanations for the extended intermediate target dates, these delays could further hinder the IRS’ ability to timely resolve the reported issues that cause its noncompliance with the FFMIA.

Each of the 38 open remedial actions had an intermediate target date that extended more than 3 years from the initial determination that IRS financial management systems were not in substantial compliance with the FFMIA. As required, the IRS, through the Department of the Treasury, properly obtained Office of Management and Budget concurrence to extend its corrective actions beyond the 3-year limitation.

We did not identify any additional recommendations that would have required inclusion in the IRS’ remediation plan as a result of the Government Accountability Office’s Fiscal Year 2005 financial statement audit.

Timely Completion of Many Remedial Actions Is Doubtful

Our analysis of individual project resources listed in the December 31, 2005, remediation plan indicated that timely completion of up to 25 open remedial actions is in jeopardy due to significant funding shortfalls. These remedial actions relate to computer security enhancements including application and systems access controls, configuration management, expanded audit trails, and contingency and disaster recovery planning. The IRS indicated that, as a result of its funding shortfalls, it plans to completely reevaluate existing target due dates for remedial actions relating to computer security later in Fiscal Year 2006. The IRS reported a projected funding shortfall of at least $43 million for computer security.

The IRS also indicated that the resources necessary for the continued development of the CDDB, which is a key financial management project, are not available beyond Fiscal Year 2006. The IRS currently plans to develop a new action plan to address future releases of the CDDB by October 1, 2006, pending funding availability at that time. The IRS reported a projected funding shortfall of $13 million for the CDDB. The IRS also reported that it plans to continue to delay development of future releases of the IFS due to a lack of funding. The delayed future IFS releases address longstanding financial weaknesses relating to the IRS’ lack of reliable cost accounting information and inadequate controls over its fixed asset records.

The delays caused by the rescheduling and suspension of needed remediation actions further hinder the IRS’ ability to timely resolve the reported issues that cause its ongoing noncompliance with the FFMIA. For example, the CDDB, when fully implemented, is designed to address longstanding financial weaknesses relating to the IRS’ inability to routinely generate reliable and timely financial management information. In addition, until the IRS completes its revised plans, we will be unable to reliably assess the IRS’ progress in resolving many of the significant findings and recommendations reported in the FFMIA remediation plan.


Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to report to Congress, as required by the Federal Financial Management Improvement Act of 1996 (FFMIA),[1] any instances of and reasons for missed intermediate target dates established in the Internal Revenue Service’s (IRS) FFMIA remediation plan as of December 31, 2005. We also evaluated, in general, whether the IRS was meeting its responsibilities in fulfilling the intent of the FFMIA. To accomplish our objective, we:

I.    Gained an understanding of the requirements of the FFMIA, including Office of Management and Budget and Department of the Treasury guidance for compliance with the Act.
II.   Determined whether the IRS’ remediation plan was consistent with Government Accountability Office recommendations from prior IRS financial audits and related financial management reports.
III.  Determined whether 1) the IRS missed any intermediate target dates established in its remediation plan, 2) intermediate target dates were extended without sufficient documentation to support the revised date, and 3) proper approval was obtained for remedial actions extending more than 3 years.
IV.   Determined whether the IRS remediation plan had established resource needs for remedial actions and the resources presented were consistent with other IRS modernization resource budgets.
V.    Determined whether the IRS had taken adequate corrective actions on prior reported audit findings.

[1] Pub. L. No. 104-208, 110 Stat. 3009.


Appendix II

Major Contributors to This Report

Daniel R. Devlin, Assistant Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs)
John R. Wright, Director
Anthony J. Choma, Audit Manager
Philip A. Smith, Lead Auditor
Chinita Coates, Auditor
Rashme Sawhney, Auditor


Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Office of Management Controls OS:CFO:AR:M
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Audit Liaison: Chief Financial Officer OS:CFO


Appendix IV

Financial Management Remedial Action Projects

The Internal Revenue Service (IRS) has initiated four significant financial management projects in response to the various material weaknesses identified by the Government Accountability Office relating to the Federal Financial Management Improvement Act of 1996.[1] The IRS described the functionality of the projects contained in its remediation plan as follows:

Custodial Detail Data Base (CDDB): To more accurately report a single balance due for Trust Fund Recovery Penalty (TFRP) assessments and determine areas for improvement, the IRS Chief Financial Officer developed a TFRP database. The TFRP database is the first release of the Financial Management Information System enhancement to the CDDB that will enable the IRS to address many of the outstanding financial management recommendations. Full CDDB functionality will be accomplished in 4 releases over 3 years.

    • Release I – Unpaid Assessments subledger.
    • Release II – Master File[2] transactions and Electronic Funds Transfer Payment System[3] preposted transactions.
    • Release III – All other preposted revenue receipt transactions and refund transactions.
    • Release IV – Frozen Credit subledger and Excise Tax Allocations.

Automated Trust Fund Recovery (ATFR) System: The ATFR system provides the capability to systematically upload TFRP assessments from the Area Offices and properly cross-references payments received for assessments made. The ATFR system replaced manual processes for assessing penalties and cross-referencing payments and will ensure compliance with Government Accountability Office requirements and accounting standards. The IRS reviewed the revised TFRP process in December 2005 and identified three areas in which additional actions are needed to address deficiencies. The IRS is in the process of developing an action plan to address each of these deficiencies.

Integrated Financial System (IFS): The IFS, when fully implemented, will provide the IRS with an integrated accounting system to account for and control resources. The first release of the IFS includes the General Ledger, Accounts Receivable, Accounts Payable, Funds and Cost Management, and Financial Reporting, as well as Budget Formulation.

Release 2 was to focus on asset management and a software technical and functional upgrade, including the configuration efforts to allow use of the enhanced features in the cost accounting and finance modules. Procurement Management was planned for Release 3. All remaining functionality, with the exception of Travel Management, was planned for Release 4. Travel Management has been deleted from the functional requirements as a result of the Federal Government-wide travel system development efforts.

Computer Security: This project addresses internal control deficiencies cited in various audits; initiates efforts to develop controls implemented at campuses,[4] field offices, and post-of-duty offices to ensure uniformity and consistency; develops appropriate means through which the IRS can carry out periodic reviews of the effectiveness of policies and procedures, along with means to address security breaches; updates access control standards to reflect changes in technology and operating environments; provides computer security training to personnel; and conducts computer security self-assessment reviews that identify and alleviate vulnerabilities on a proactive basis.

Based on recent Treasury Inspector General for Tax Administration findings during the review of the computer security material weakness, the Mission Assurance and Security Services organization, in partnership with the Chief Information Officer, has developed new program action plans for the following six issues: (1) Access Controls, (2) Rules of Behavior, (3) Audit Trails, (4) Training, (5) Process Authorizations (Certifications and Accreditations), and (6) Disaster Recovery.

[1] Pub. L. No. 104-208, 110 Stat. 3009.
[2] The IRS database that stores various types of taxpayer account information. This database includes individual, business, and employee plans and exempt organizations data.
[3] The IRS system that allows taxpayers to make their Federal tax payments electronically.
[4] The data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.